Adobe has released a critical security patch (APSB17-32) for Adobe Flash Player. This update addresses a critical type confusion vulnerability that could lead to code execution. Windows, Macintosh and Linux operating systems are affected. This vulnerability is identified with CVE-2017-11292.
A security researcher from Kaspersky Labs have uncovered this new zero-day remote code execution vulnerability in Adobe Flash, which was being actively exploited in the wild. According to researchers at Kaspersky Labs, the exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. Analysis of the payload by researchers have indicated its link to a group of advanced persistent threat actors, known as BlackOasis. BlackOasis is the same group of attackers which were also responsible for exploiting another zero-day vulnerability (CVE-2017-8759) discovered in September 2017. Also, the final FinSpy payload in the current attack (CVE-2017-11292) shares the same command and control (C&C) server as the payload used with CVE-2017-8759.
This zero-day exploit is delivered through Microsoft Office document attached to a spam email, and embedded within this document is an ActiveX object which contains the Flash exploit. The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer. The exploit is a memory corruption vulnerability that exists in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class. If the exploit is successful, it will gain arbitrary read and write operations within the memory, allowing it to execute a shellcode. The shellcode then downloads the final payload (FinSpy).
FinFisher, also known as FinSpy, is surveillance software that has extensive spying capabilities on an infected system. It can secretly conduct live surveillance by turning ON infected system's webcams and microphones, recording everything the victim types on the keyboard, intercepting Skype calls, and exfiltration of files.
Affected versions of Adobe Flash Player:
Flash Player versions 126.96.36.199 and earlier for Windows, Macintosh, and Linux.
Flash Player version 188.8.131.52 and earlier for Adobe Flash Player for Google Chrome.
Flash Player version 184.108.40.206 and earlier for Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 10 and Windows 8.x.
All the users of the Adobe Flash Player for Windows, Macintosh, and Linux are advised to update to Flash Player version 220.127.116.11. Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11 will be automatically updated to the latest version.
All these updates can be easily remediated through SecPod Saner. Install Saner to detect and remediate these type of threats and stay secure.